signal app 

@feonixrift Could you kindly point me to something detailing why the move is considered bad? From what I read, they try to move away from phone numbers as identifiers, which is in my book a very good and very long overdue point. They don't store stuff non-encrypted and they themselves don't have any keys. So is this just about the specific technique to verify the key? I need more info about why this is troublesome.

signal app 

@Chaos_99
If you think that you can be sure that something on the AWS servers is secure, check #EncroChat and #stuxnet.
@feonixrift

signal app 

@Br0m3x @feonixrift
I admit that I don't know enough about SGX or the TEE module to assess if it's safe on machines you don't control.
But #EncroChat was broken by taking over the android devices and #stuxnet used USB drives and attacked SCADA systems and Siemens PLC industrial controllers. I don't see how any of them are relevant here.

signal app 

@Chaos_99
Try to think in a holistic way. If the state wants to hack 'Signal server' they will do that. Period. If something is centralised it is much easier for them. #Encrochat they probably compromised servers then devices. Encrochat had ca. 60 000 customers worldwide, Police arrested ca. 800. It means the states intercepted messages of thousands of innocent people.
#Stuxnet - I would say that everything depends on how much the state wants to achieve something.
@feonixrift

signal app 

@Br0m3x @feonixrift

I get your point. But it's exactly the point of Signal to build a system where hacking/owning the infrastructure will NOT compromise the messages/users. State-power adversaries are literally their threat model. Unless you can point out a specific flaw in the implementation or design, you are just ranting about the surveillance state and not adding anything to the discussion about Signal.

signal app

Do you know what is implemented? Good for you. :)

@Br0m3x Signal is Free Software, the source code is available on GitHub, if you can’t audit it yourself just pay someone to do it (it’ll benefit the whole community).

If you don’t want to read code but trust them enough to accept their documentation as a proof, just read their blog, the whole PIN + SGX is fairly well explained.


@Arcaik @Br0m3x

I did, and the code basically looks like a raw dumped copy of internal repos with almost no documentation or comments. It looks more like a proprietary project with code reluctantly published, rather than an open-source project.

There's also no trusted path between the source code and what is published into Google Play store, although there is one for the F-Droid version.

Mastodon 🔐 privacytools.io